e40bf60a9520e2940a3e6693206cd4c7ddb5649480b16dc7e1ff681dc7e9c8c1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b5f82b7a79ee91f859e5408d4117d90_NeikiAnalytics.exe
Size

448KB
MD5

1b5f82b7a79ee91f859e5408d4117d90
SHA1

f19f56bbf935b3e46ba5b99d0de0be393d148338
SHA256

e40bf60a9520e2940a3e6693206cd4c7ddb5649480b16dc7e1ff681dc7e9c8c1
SHA512

a3bfadf077447335d7c200d8bafc8373e7bb19110fdeb83836b22a37478edf2c199183eb7282b2abb99190280c7cde231fd291d67c0a98540f254b31cc2055a8
SSDEEP

6144:h1L2RGQdO798szclBqckEjiPISUOgW9X+hOGzC/NM:h1fQd3vr1kmZzcukG2/

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 19 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\DWEKYSG.exe	family_berbew
C:\Windows\SysWOW64\OPHVYZ.exe	family_berbew
C:\Windows\System\XIYJP.exe	family_berbew
C:\Windows\SysWOW64\YLBN.exe	family_berbew
C:\Windows\JDRYDGV.exe	family_berbew
C:\Windows\System\OEB.exe	family_berbew
C:\Windows\BBNEAH.exe	family_berbew
C:\Windows\BKBBNY.exe	family_berbew
C:\Windows\System\UXN.exe	family_berbew
C:\windows\SysWOW64\WVS.exe	family_berbew
C:\Windows\System\MIRTUM.exe	family_berbew
C:\Windows\SysWOW64\UOWZFK.exe	family_berbew
C:\Windows\System\DRRPSBD.exe	family_berbew
C:\windows\system\TFIWM.exe	family_berbew
C:\Windows\SysWOW64\XIG.exe	family_berbew
C:\windows\system\ZGTDBM.exe	family_berbew
C:\Windows\System\RDLQ.exe	family_berbew
C:\Windows\ZRYW.exe	family_berbew
C:\Windows\SysWOW64\UEDGEN.exe	family_berbew

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1b5f82b7a79ee91f859e5408d4117d90_NeikiAnalytics.exeUXN.exeZEQMW.exeSGP.exeDLGIKFB.exeATA.exeZSMEHXF.exeZSNAAG.exeZUWLFAD.exeDAMGCC.exeYLBN.exeICQJ.exeSUBF.exeLMLZW.exeHTBFT.exeGHEPJ.exePXHH.exeZAOFS.exeXQO.exeBBNEAH.exeTFIWM.exeUEDGEN.exeKZWE.exeKZI.exeIMWYSFG.exeFBV.exeXIYJP.exeUOWZFK.exeLJOHV.exeQBNRBUD.exeQTO.exeSSWI.exeJKMRBA.exeEQB.exeZAFUQBP.exeVJVKOGO.exeGZUHOMR.exeOPHVYZ.exeDRRPSBD.exeGJZMVNL.exePLWHLX.exeSSA.exePKCAL.exeIVWWY.exeSYMTRY.exeAHC.exeLOFT.exeSRYB.exeGKPJ.exeNAH.exeNQCSP.exeCRGZXFG.exePTTF.exeYECC.exeLXPXLM.exeJRD.exeCGIDFB.exeTBXB.exeUQB.exeMLSD.exeULT.exeZGTDBM.exeIOA.exeCGD.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	1b5f82b7a79ee91f859e5408d4117d90_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	UXN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ZEQMW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SGP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DLGIKFB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ATA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ZSMEHXF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ZSNAAG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ZUWLFAD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DAMGCC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	YLBN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ICQJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SUBF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	LMLZW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	HTBFT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	GHEPJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	PXHH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ZAOFS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	XQO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	BBNEAH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	TFIWM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	UEDGEN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	KZWE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	KZI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	IMWYSFG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	FBV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	XIYJP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	UOWZFK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	LJOHV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	QBNRBUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	QTO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SSWI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	JKMRBA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	EQB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ZAFUQBP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	VJVKOGO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	GZUHOMR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	OPHVYZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DRRPSBD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	GJZMVNL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	PLWHLX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SSA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	PKCAL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	IVWWY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SYMTRY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AHC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	LOFT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SRYB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	GKPJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	NAH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	NQCSP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	CRGZXFG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	PTTF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	YECC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	LXPXLM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	JRD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	CGIDFB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	TBXB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	UQB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	MLSD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ULT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ZGTDBM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	IOA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	CGD.exe

Executes dropped EXE 64 IoCs

Processes:

DWEKYSG.exeOPHVYZ.exeXIYJP.exeYLBN.exeJDRYDGV.exeOEB.exeBBNEAH.exeBKBBNY.exeUXN.exeWVS.exeMIRTUM.exeUOWZFK.exeAJIALH.exeDRRPSBD.exeTFIWM.exeXIG.exeZGTDBM.exeRDLQ.exeZRYW.exeUEDGEN.exeBUEF.exeJAI.exeDSYXFAW.exeATA.exeLJOHV.exeICQJ.exeKZWE.exeSNI.exeXFSNDDP.exeMLQK.exeUYDQ.exeCTTM.exeGJZMVNL.exeWZAMC.exeSAKO.exeNNPXQE.exeEOVDDV.exeSYMTRY.exeLMLZW.exeAHC.exeZAFUQBP.exeWSHWCF.exePLWHLX.exeIOA.exeQBNRBUD.exeAZSMICL.exeYKVURI.exeGPIIC.exeZSMEHXF.exeCGD.exeLOFT.exeKZI.exeOHOJZU.exeHHEUIN.exeHNEIKA.exeRLKCZI.exeNQCSP.exeHEBQV.exeCRGZXFG.exeVJVKOGO.exeUUYA.exeKNB.exePTTF.exeCQTRYGC.exe

pid	process
2272	DWEKYSG.exe
3016	OPHVYZ.exe
1276	XIYJP.exe
464	YLBN.exe
1404	JDRYDGV.exe
2260	OEB.exe
1032	BBNEAH.exe
1400	BKBBNY.exe
4480	UXN.exe
1736	WVS.exe
4408	MIRTUM.exe
4856	UOWZFK.exe
1148	AJIALH.exe
4612	DRRPSBD.exe
4620	TFIWM.exe
4988	XIG.exe
4068	ZGTDBM.exe
1660	RDLQ.exe
3412	ZRYW.exe
964	UEDGEN.exe
1288	BUEF.exe
4292	JAI.exe
2260	DSYXFAW.exe
4452	ATA.exe
1756	LJOHV.exe
2256	ICQJ.exe
5036	KZWE.exe
4868	SNI.exe
1556	XFSNDDP.exe
4836	MLQK.exe
4408	UYDQ.exe
1752	CTTM.exe
4928	GJZMVNL.exe
2868	WZAMC.exe
3724	SAKO.exe
4620	NNPXQE.exe
1704	EOVDDV.exe
1084	SYMTRY.exe
3264	LMLZW.exe
4260	AHC.exe
4448	ZAFUQBP.exe
224	WSHWCF.exe
4564	PLWHLX.exe
4068	IOA.exe
2636	QBNRBUD.exe
1252	AZSMICL.exe
60	YKVURI.exe
992	GPIIC.exe
4944	ZSMEHXF.exe
1540	CGD.exe
3452	LOFT.exe
3824	KZI.exe
2252	OHOJZU.exe
4964	HHEUIN.exe
2136	HNEIKA.exe
560	RLKCZI.exe
2188	NQCSP.exe
1688	HEBQV.exe
752	CRGZXFG.exe
4056	VJVKOGO.exe
1124	UUYA.exe
4052	KNB.exe
5092	PTTF.exe
992	CQTRYGC.exe

Drops file in System32 directory 64 IoCs

Processes:

SAKO.exeZUWLFAD.exeGKPJ.exeFPO.exeTBXB.exeSGP.exeDWEKYSG.exeUOWZFK.exeBUEF.exeATA.exeRVBCHA.exeZFDUJM.exe1b5f82b7a79ee91f859e5408d4117d90_NeikiAnalytics.exeZRYW.exeNQCSP.exeHEBQV.exeYVXDEDE.exeUYDQ.exeFER.exeZFWYI.exeDSDU.exeCGIDFB.exeWSHWCF.exeXUC.exeZFYN.exeZAOFS.exeKZWE.exeSOEOVWM.exeUEDGEN.exeZSMEHXF.exeQOD.exeFTVNF.exeJMMHOP.exeTFIWM.exeBRTTN.exeQTO.exeCQTRYGC.exeICQJ.exeISDT.exeEOVDDV.exeQKS.exeULT.exePEVE.exeOMV.exe

description	ioc	process
File opened for modification	C:\windows\SysWOW64\NNPXQE.exe	SAKO.exe
File created	C:\windows\SysWOW64\YNHBOG.exe.bat	ZUWLFAD.exe
File opened for modification	C:\windows\SysWOW64\QIUDVI.exe	GKPJ.exe
File created	C:\windows\SysWOW64\NCB.exe	FPO.exe
File opened for modification	C:\windows\SysWOW64\TUGD.exe	TBXB.exe
File created	C:\windows\SysWOW64\IVWWY.exe	SGP.exe
File created	C:\windows\SysWOW64\OPHVYZ.exe.bat	DWEKYSG.exe
File created	C:\windows\SysWOW64\AJIALH.exe.bat	UOWZFK.exe
File created	C:\windows\SysWOW64\JAI.exe.bat	BUEF.exe
File created	C:\windows\SysWOW64\LJOHV.exe	ATA.exe
File created	C:\windows\SysWOW64\VDHC.exe	RVBCHA.exe
File created	C:\windows\SysWOW64\ZAOFS.exe	ZFDUJM.exe
File created	C:\windows\SysWOW64\DWEKYSG.exe.bat	1b5f82b7a79ee91f859e5408d4117d90_NeikiAnalytics.exe
File created	C:\windows\SysWOW64\UEDGEN.exe.bat	ZRYW.exe
File opened for modification	C:\windows\SysWOW64\HEBQV.exe	NQCSP.exe
File created	C:\windows\SysWOW64\CRGZXFG.exe.bat	HEBQV.exe
File created	C:\windows\SysWOW64\SOEOVWM.exe	YVXDEDE.exe
File created	C:\windows\SysWOW64\LJOHV.exe.bat	ATA.exe
File created	C:\windows\SysWOW64\CTTM.exe.bat	UYDQ.exe
File created	C:\windows\SysWOW64\GZUHOMR.exe.bat	FER.exe
File created	C:\windows\SysWOW64\HTBFT.exe.bat	ZFWYI.exe
File opened for modification	C:\windows\SysWOW64\YNHBOG.exe	ZUWLFAD.exe
File opened for modification	C:\windows\SysWOW64\RQLFL.exe	DSDU.exe
File created	C:\windows\SysWOW64\BRTTN.exe	CGIDFB.exe
File created	C:\windows\SysWOW64\TUGD.exe.bat	TBXB.exe
File created	C:\windows\SysWOW64\PLWHLX.exe.bat	WSHWCF.exe
File created	C:\windows\SysWOW64\INKTUN.exe.bat	XUC.exe
File created	C:\windows\SysWOW64\ISDT.exe	ZFYN.exe
File created	C:\windows\SysWOW64\MLSD.exe	ZAOFS.exe
File opened for modification	C:\windows\SysWOW64\SNI.exe	KZWE.exe
File created	C:\windows\SysWOW64\QJE.exe.bat	SOEOVWM.exe
File opened for modification	C:\windows\SysWOW64\BUEF.exe	UEDGEN.exe
File created	C:\windows\SysWOW64\CGD.exe	ZSMEHXF.exe
File created	C:\windows\SysWOW64\FER.exe	QOD.exe
File created	C:\windows\SysWOW64\QJE.exe	SOEOVWM.exe
File opened for modification	C:\windows\SysWOW64\EDGD.exe	FTVNF.exe
File opened for modification	C:\windows\SysWOW64\VPX.exe	JMMHOP.exe
File opened for modification	C:\windows\SysWOW64\XIG.exe	TFIWM.exe
File opened for modification	C:\windows\SysWOW64\UEDGEN.exe	ZRYW.exe
File created	C:\windows\SysWOW64\RQLFL.exe.bat	DSDU.exe
File opened for modification	C:\windows\SysWOW64\NCB.exe	FPO.exe
File created	C:\windows\SysWOW64\ISDT.exe.bat	ZFYN.exe
File created	C:\windows\SysWOW64\MJAEX.exe.bat	BRTTN.exe
File created	C:\windows\SysWOW64\TBXB.exe.bat	QTO.exe
File opened for modification	C:\windows\SysWOW64\DTXN.exe	CQTRYGC.exe
File created	C:\windows\SysWOW64\QIUDVI.exe.bat	GKPJ.exe
File opened for modification	C:\windows\SysWOW64\KZWE.exe	ICQJ.exe
File opened for modification	C:\windows\SysWOW64\AJIALH.exe	UOWZFK.exe
File created	C:\windows\SysWOW64\KZWE.exe	ICQJ.exe
File created	C:\windows\SysWOW64\CGIDFB.exe	ISDT.exe
File created	C:\windows\SysWOW64\EDGD.exe	FTVNF.exe
File opened for modification	C:\windows\SysWOW64\SYMTRY.exe	EOVDDV.exe
File created	C:\windows\SysWOW64\DNA.exe.bat	QKS.exe
File created	C:\windows\SysWOW64\DTXN.exe.bat	CQTRYGC.exe
File created	C:\windows\SysWOW64\FER.exe.bat	QOD.exe
File created	C:\windows\SysWOW64\HTBFT.exe	ZFWYI.exe
File created	C:\windows\SysWOW64\VOJW.exe	ULT.exe
File created	C:\windows\SysWOW64\OMV.exe	PEVE.exe
File opened for modification	C:\windows\SysWOW64\ZFYN.exe	OMV.exe
File created	C:\windows\SysWOW64\XIG.exe.bat	TFIWM.exe
File created	C:\windows\SysWOW64\NNPXQE.exe	SAKO.exe
File created	C:\windows\SysWOW64\TUGD.exe	TBXB.exe
File created	C:\windows\SysWOW64\VPX.exe.bat	JMMHOP.exe
File created	C:\windows\SysWOW64\DTXN.exe	CQTRYGC.exe

Drops file in Windows directory 64 IoCs

Processes:

IOA.exeYKVURI.exePXHH.exeIVWWY.exeMMX.exePLWHLX.exeBGU.exeFDISVCO.exeNZBN.exeLMLZW.exeDTXN.exeUXNKH.exeSUBF.exeIPAU.exeWIHYD.exeAHC.exeVJVKOGO.exeBLD.exeVDHC.exeSSA.exeTUGD.exeDRRPSBD.exeZGTDBM.exeJAI.exeGJZMVNL.exeHHEUIN.exeCRGZXFG.exeDLGIKFB.exeGRYZ.exeNCB.exeNAFPVWQ.exeXBNDZ.exeXFSNDDP.exeCGD.exeRQLFL.exeFBV.exePKCAL.exeDAMGCC.exeYBQOYR.exeLJOHV.exeWZAMC.exePTTF.exeUGVLZ.exeDNA.exeWHXIW.exeILMDAGO.exeOPHVYZ.exeSYMTRY.exeLOFT.exeZSNAAG.exeMJAEX.exe

description	ioc	process
File created	C:\windows\QBNRBUD.exe.bat	IOA.exe
File created	C:\windows\GPIIC.exe.bat	YKVURI.exe
File opened for modification	C:\windows\JKMRBA.exe	PXHH.exe
File created	C:\windows\system\JTDFAC.exe.bat	IVWWY.exe
File opened for modification	C:\windows\VNZRRD.exe	MMX.exe
File created	C:\windows\IOA.exe	PLWHLX.exe
File created	C:\windows\YHW.exe.bat	BGU.exe
File created	C:\windows\system\YVXDEDE.exe	FDISVCO.exe
File created	C:\windows\system\PXHH.exe.bat	NZBN.exe
File opened for modification	C:\windows\AHC.exe	LMLZW.exe
File opened for modification	C:\windows\system\QWNL.exe	DTXN.exe
File opened for modification	C:\windows\system\LXPXLM.exe	UXNKH.exe
File created	C:\windows\system\LXFBJU.exe	SUBF.exe
File opened for modification	C:\windows\BLD.exe	IPAU.exe
File created	C:\windows\system\UTKG.exe.bat	WIHYD.exe
File created	C:\windows\ZAFUQBP.exe.bat	AHC.exe
File created	C:\windows\IOA.exe.bat	PLWHLX.exe
File created	C:\windows\UUYA.exe	VJVKOGO.exe
File created	C:\windows\BLD.exe	IPAU.exe
File created	C:\windows\ULT.exe.bat	BLD.exe
File opened for modification	C:\windows\system\FBV.exe	VDHC.exe
File created	C:\windows\WIHYD.exe.bat	SSA.exe
File created	C:\windows\BAKJ.exe	TUGD.exe
File opened for modification	C:\windows\system\TFIWM.exe	DRRPSBD.exe
File created	C:\windows\system\TFIWM.exe.bat	DRRPSBD.exe
File opened for modification	C:\windows\system\RDLQ.exe	ZGTDBM.exe
File created	C:\windows\system\DSYXFAW.exe.bat	JAI.exe
File created	C:\windows\system\WZAMC.exe	GJZMVNL.exe
File created	C:\windows\system\HNEIKA.exe.bat	HHEUIN.exe
File opened for modification	C:\windows\VJVKOGO.exe	CRGZXFG.exe
File opened for modification	C:\windows\system\UJFLWR.exe	DLGIKFB.exe
File opened for modification	C:\windows\QOD.exe	GRYZ.exe
File opened for modification	C:\windows\ZAHI.exe	NCB.exe
File created	C:\windows\DQGOU.exe.bat	NAFPVWQ.exe
File created	C:\windows\PKCAL.exe	XBNDZ.exe
File created	C:\windows\WIHYD.exe	SSA.exe
File created	C:\windows\system\MLQK.exe	XFSNDDP.exe
File created	C:\windows\system\LOFT.exe	CGD.exe
File opened for modification	C:\windows\YHW.exe	BGU.exe
File created	C:\windows\system\LXFBJU.exe.bat	SUBF.exe
File created	C:\windows\BLD.exe.bat	IPAU.exe
File opened for modification	C:\windows\ZEQMW.exe	RQLFL.exe
File created	C:\windows\system\NPA.exe	FBV.exe
File opened for modification	C:\windows\BAKJ.exe	TUGD.exe
File created	C:\windows\SSWI.exe.bat	PKCAL.exe
File opened for modification	C:\windows\HIS.exe	DAMGCC.exe
File created	C:\windows\RTGZHS.exe.bat	YBQOYR.exe
File opened for modification	C:\windows\system\ICQJ.exe	LJOHV.exe
File created	C:\windows\SAKO.exe.bat	WZAMC.exe
File created	C:\windows\system\CQTRYGC.exe.bat	PTTF.exe
File created	C:\windows\system\SRYB.exe.bat	UGVLZ.exe
File opened for modification	C:\windows\ZSNAAG.exe	DNA.exe
File created	C:\windows\system\YECC.exe.bat	WHXIW.exe
File opened for modification	C:\windows\RTGZHS.exe	YBQOYR.exe
File created	C:\windows\DQGOU.exe	NAFPVWQ.exe
File created	C:\windows\BAKJ.exe.bat	TUGD.exe
File opened for modification	C:\windows\PKCAL.exe	XBNDZ.exe
File created	C:\windows\XBNDZ.exe	ILMDAGO.exe
File created	C:\windows\system\XIYJP.exe.bat	OPHVYZ.exe
File created	C:\windows\LMLZW.exe	SYMTRY.exe
File created	C:\windows\system\KZI.exe	LOFT.exe
File opened for modification	C:\windows\ULT.exe	BLD.exe
File opened for modification	C:\windows\system\DBHI.exe	ZSNAAG.exe
File created	C:\windows\UXNKH.exe	MJAEX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3856	3588	WerFault.exe	1b5f82b7a79ee91f859e5408d4117d90_NeikiAnalytics.exe
4836	2272	WerFault.exe	DWEKYSG.exe
1708	3016	WerFault.exe	OPHVYZ.exe
1540	1276	WerFault.exe	XIYJP.exe
3832	464	WerFault.exe	YLBN.exe
2096	1404	WerFault.exe	JDRYDGV.exe
1096	2260	WerFault.exe	OEB.exe
3748	1032	WerFault.exe	BBNEAH.exe
928	1400	WerFault.exe	BKBBNY.exe
4320	4480	WerFault.exe	UXN.exe
1860	1736	WerFault.exe	WVS.exe
4244	4408	WerFault.exe	MIRTUM.exe
1752	4856	WerFault.exe	UOWZFK.exe
3876	1148	WerFault.exe	AJIALH.exe
3924	4612	WerFault.exe	DRRPSBD.exe
4048	4620	WerFault.exe	TFIWM.exe
1860	4988	WerFault.exe	XIG.exe
4564	4068	WerFault.exe	ZGTDBM.exe
2992	1660	WerFault.exe	RDLQ.exe
1032	3412	WerFault.exe	ZRYW.exe
4084	964	WerFault.exe	UEDGEN.exe
4200	1288	WerFault.exe	BUEF.exe
1420	4292	WerFault.exe	JAI.exe
4988	2260	WerFault.exe	DSYXFAW.exe
2024	4452	WerFault.exe	ATA.exe
3036	1756	WerFault.exe	LJOHV.exe
1032	2256	WerFault.exe	ICQJ.exe
2964	5036	WerFault.exe	KZWE.exe
4644	4868	WerFault.exe	SNI.exe
1544	1556	WerFault.exe	XFSNDDP.exe
4776	4836	WerFault.exe	MLQK.exe
2028	4408	WerFault.exe	UYDQ.exe
3468	1752	WerFault.exe	CTTM.exe
3708	4928	WerFault.exe	GJZMVNL.exe
4056	2868	WerFault.exe	WZAMC.exe
4668	3724	WerFault.exe	SAKO.exe
3952	4620	WerFault.exe	NNPXQE.exe
776	1704	WerFault.exe	EOVDDV.exe
3436	1084	WerFault.exe	SYMTRY.exe
4624	3264	WerFault.exe	LMLZW.exe
3744	4260	WerFault.exe	AHC.exe
3556	4448	WerFault.exe	ZAFUQBP.exe
764	224	WerFault.exe	WSHWCF.exe
2888	4564	WerFault.exe	PLWHLX.exe
4916	4068	WerFault.exe	IOA.exe
3880	2636	WerFault.exe	QBNRBUD.exe
3924	1252	WerFault.exe	AZSMICL.exe
3412	60	WerFault.exe	YKVURI.exe
1732	992	WerFault.exe	GPIIC.exe
1812	4944	WerFault.exe	ZSMEHXF.exe
4804	1540	WerFault.exe	CGD.exe
3436	3452	WerFault.exe	LOFT.exe
3196	3824	WerFault.exe	KZI.exe
2692	2252	WerFault.exe	OHOJZU.exe
2436	4964	WerFault.exe	HHEUIN.exe
3444	2136	WerFault.exe	HNEIKA.exe
3008	560	WerFault.exe	RLKCZI.exe
1152	2188	WerFault.exe	NQCSP.exe
4068	1688	WerFault.exe	HEBQV.exe
1564	752	WerFault.exe	CRGZXFG.exe
2884	4056	WerFault.exe	VJVKOGO.exe
4032	1124	WerFault.exe	UUYA.exe
5060	4052	WerFault.exe	KNB.exe
1556	5092	WerFault.exe	PTTF.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1b5f82b7a79ee91f859e5408d4117d90_NeikiAnalytics.exeDWEKYSG.exeOPHVYZ.exeXIYJP.exeYLBN.exeJDRYDGV.exeOEB.exeBBNEAH.exeBKBBNY.exeUXN.exeWVS.exeMIRTUM.exeUOWZFK.exeAJIALH.exeDRRPSBD.exeTFIWM.exeXIG.exeZGTDBM.exeRDLQ.exeZRYW.exeUEDGEN.exeBUEF.exeJAI.exeDSYXFAW.exeATA.exeLJOHV.exeICQJ.exeKZWE.exeSNI.exeXFSNDDP.exeMLQK.exeUYDQ.exe

pid	process
3588	1b5f82b7a79ee91f859e5408d4117d90_NeikiAnalytics.exe
3588	1b5f82b7a79ee91f859e5408d4117d90_NeikiAnalytics.exe
2272	DWEKYSG.exe
2272	DWEKYSG.exe
3016	OPHVYZ.exe
3016	OPHVYZ.exe
1276	XIYJP.exe
1276	XIYJP.exe
464	YLBN.exe
464	YLBN.exe
1404	JDRYDGV.exe
1404	JDRYDGV.exe
2260	OEB.exe
2260	OEB.exe
1032	BBNEAH.exe
1032	BBNEAH.exe
1400	BKBBNY.exe
1400	BKBBNY.exe
4480	UXN.exe
4480	UXN.exe
1736	WVS.exe
1736	WVS.exe
4408	MIRTUM.exe
4408	MIRTUM.exe
4856	UOWZFK.exe
4856	UOWZFK.exe
1148	AJIALH.exe
1148	AJIALH.exe
4612	DRRPSBD.exe
4612	DRRPSBD.exe
4620	TFIWM.exe
4620	TFIWM.exe
4988	XIG.exe
4988	XIG.exe
4068	ZGTDBM.exe
4068	ZGTDBM.exe
1660	RDLQ.exe
1660	RDLQ.exe
3412	ZRYW.exe
3412	ZRYW.exe
964	UEDGEN.exe
964	UEDGEN.exe
1288	BUEF.exe
1288	BUEF.exe
4292	JAI.exe
4292	JAI.exe
2260	DSYXFAW.exe
2260	DSYXFAW.exe
4452	ATA.exe
4452	ATA.exe
1756	LJOHV.exe
1756	LJOHV.exe
2256	ICQJ.exe
2256	ICQJ.exe
5036	KZWE.exe
5036	KZWE.exe
4868	SNI.exe
4868	SNI.exe
1556	XFSNDDP.exe
1556	XFSNDDP.exe
4836	MLQK.exe
4836	MLQK.exe
4408	UYDQ.exe
4408	UYDQ.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
3588	1b5f82b7a79ee91f859e5408d4117d90_NeikiAnalytics.exe
3588	1b5f82b7a79ee91f859e5408d4117d90_NeikiAnalytics.exe
2272	DWEKYSG.exe
2272	DWEKYSG.exe
3016	OPHVYZ.exe
3016	OPHVYZ.exe
1276	XIYJP.exe
1276	XIYJP.exe
464	YLBN.exe
464	YLBN.exe
1404	JDRYDGV.exe
1404	JDRYDGV.exe
2260	OEB.exe
2260	OEB.exe
1032	BBNEAH.exe
1032	BBNEAH.exe
1400	BKBBNY.exe
1400	BKBBNY.exe
4480	UXN.exe
4480	UXN.exe
1736	WVS.exe
1736	WVS.exe
4408	MIRTUM.exe
4408	MIRTUM.exe
4856	UOWZFK.exe
4856	UOWZFK.exe
1148	AJIALH.exe
1148	AJIALH.exe
4612	DRRPSBD.exe
4612	DRRPSBD.exe
4620	TFIWM.exe
4620	TFIWM.exe
4988	XIG.exe
4988	XIG.exe
4068	ZGTDBM.exe
4068	ZGTDBM.exe
1660	RDLQ.exe
1660	RDLQ.exe
3412	ZRYW.exe
3412	ZRYW.exe
964	UEDGEN.exe
964	UEDGEN.exe
1288	BUEF.exe
1288	BUEF.exe
4292	JAI.exe
4292	JAI.exe
2260	DSYXFAW.exe
2260	DSYXFAW.exe
4452	ATA.exe
4452	ATA.exe
1756	LJOHV.exe
1756	LJOHV.exe
2256	ICQJ.exe
2256	ICQJ.exe
5036	KZWE.exe
5036	KZWE.exe
4868	SNI.exe
4868	SNI.exe
1556	XFSNDDP.exe
1556	XFSNDDP.exe
4836	MLQK.exe
4836	MLQK.exe
4408	UYDQ.exe
4408	UYDQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1b5f82b7a79ee91f859e5408d4117d90_NeikiAnalytics.execmd.exeDWEKYSG.execmd.exeOPHVYZ.execmd.exeXIYJP.execmd.exeYLBN.execmd.exeJDRYDGV.execmd.exeOEB.execmd.exeBBNEAH.execmd.exeBKBBNY.execmd.exeUXN.execmd.exeWVS.execmd.exe

description	pid	process	target process
PID 3588 wrote to memory of 4588	3588	1b5f82b7a79ee91f859e5408d4117d90_NeikiAnalytics.exe	cmd.exe
PID 3588 wrote to memory of 4588	3588	1b5f82b7a79ee91f859e5408d4117d90_NeikiAnalytics.exe	cmd.exe
PID 3588 wrote to memory of 4588	3588	1b5f82b7a79ee91f859e5408d4117d90_NeikiAnalytics.exe	cmd.exe
PID 4588 wrote to memory of 2272	4588	cmd.exe	DWEKYSG.exe
PID 4588 wrote to memory of 2272	4588	cmd.exe	DWEKYSG.exe
PID 4588 wrote to memory of 2272	4588	cmd.exe	DWEKYSG.exe
PID 2272 wrote to memory of 1596	2272	DWEKYSG.exe	cmd.exe
PID 2272 wrote to memory of 1596	2272	DWEKYSG.exe	cmd.exe
PID 2272 wrote to memory of 1596	2272	DWEKYSG.exe	cmd.exe
PID 1596 wrote to memory of 3016	1596	cmd.exe	OPHVYZ.exe
PID 1596 wrote to memory of 3016	1596	cmd.exe	OPHVYZ.exe
PID 1596 wrote to memory of 3016	1596	cmd.exe	OPHVYZ.exe
PID 3016 wrote to memory of 4340	3016	OPHVYZ.exe	cmd.exe
PID 3016 wrote to memory of 4340	3016	OPHVYZ.exe	cmd.exe
PID 3016 wrote to memory of 4340	3016	OPHVYZ.exe	cmd.exe
PID 4340 wrote to memory of 1276	4340	cmd.exe	XIYJP.exe
PID 4340 wrote to memory of 1276	4340	cmd.exe	XIYJP.exe
PID 4340 wrote to memory of 1276	4340	cmd.exe	XIYJP.exe
PID 1276 wrote to memory of 2060	1276	XIYJP.exe	cmd.exe
PID 1276 wrote to memory of 2060	1276	XIYJP.exe	cmd.exe
PID 1276 wrote to memory of 2060	1276	XIYJP.exe	cmd.exe
PID 2060 wrote to memory of 464	2060	cmd.exe	YLBN.exe
PID 2060 wrote to memory of 464	2060	cmd.exe	YLBN.exe
PID 2060 wrote to memory of 464	2060	cmd.exe	YLBN.exe
PID 464 wrote to memory of 984	464	YLBN.exe	cmd.exe
PID 464 wrote to memory of 984	464	YLBN.exe	cmd.exe
PID 464 wrote to memory of 984	464	YLBN.exe	cmd.exe
PID 984 wrote to memory of 1404	984	cmd.exe	JDRYDGV.exe
PID 984 wrote to memory of 1404	984	cmd.exe	JDRYDGV.exe
PID 984 wrote to memory of 1404	984	cmd.exe	JDRYDGV.exe
PID 1404 wrote to memory of 560	1404	JDRYDGV.exe	cmd.exe
PID 1404 wrote to memory of 560	1404	JDRYDGV.exe	cmd.exe
PID 1404 wrote to memory of 560	1404	JDRYDGV.exe	cmd.exe
PID 560 wrote to memory of 2260	560	cmd.exe	OEB.exe
PID 560 wrote to memory of 2260	560	cmd.exe	OEB.exe
PID 560 wrote to memory of 2260	560	cmd.exe	OEB.exe
PID 2260 wrote to memory of 1512	2260	OEB.exe	cmd.exe
PID 2260 wrote to memory of 1512	2260	OEB.exe	cmd.exe
PID 2260 wrote to memory of 1512	2260	OEB.exe	cmd.exe
PID 1512 wrote to memory of 1032	1512	cmd.exe	BBNEAH.exe
PID 1512 wrote to memory of 1032	1512	cmd.exe	BBNEAH.exe
PID 1512 wrote to memory of 1032	1512	cmd.exe	BBNEAH.exe
PID 1032 wrote to memory of 1504	1032	BBNEAH.exe	cmd.exe
PID 1032 wrote to memory of 1504	1032	BBNEAH.exe	cmd.exe
PID 1032 wrote to memory of 1504	1032	BBNEAH.exe	cmd.exe
PID 1504 wrote to memory of 1400	1504	cmd.exe	BKBBNY.exe
PID 1504 wrote to memory of 1400	1504	cmd.exe	BKBBNY.exe
PID 1504 wrote to memory of 1400	1504	cmd.exe	BKBBNY.exe
PID 1400 wrote to memory of 2852	1400	BKBBNY.exe	cmd.exe
PID 1400 wrote to memory of 2852	1400	BKBBNY.exe	cmd.exe
PID 1400 wrote to memory of 2852	1400	BKBBNY.exe	cmd.exe
PID 2852 wrote to memory of 4480	2852	cmd.exe	UXN.exe
PID 2852 wrote to memory of 4480	2852	cmd.exe	UXN.exe
PID 2852 wrote to memory of 4480	2852	cmd.exe	UXN.exe
PID 4480 wrote to memory of 2536	4480	UXN.exe	cmd.exe
PID 4480 wrote to memory of 2536	4480	UXN.exe	cmd.exe
PID 4480 wrote to memory of 2536	4480	UXN.exe	cmd.exe
PID 2536 wrote to memory of 1736	2536	cmd.exe	WVS.exe
PID 2536 wrote to memory of 1736	2536	cmd.exe	WVS.exe
PID 2536 wrote to memory of 1736	2536	cmd.exe	WVS.exe
PID 1736 wrote to memory of 4808	1736	WVS.exe	cmd.exe
PID 1736 wrote to memory of 4808	1736	WVS.exe	cmd.exe
PID 1736 wrote to memory of 4808	1736	WVS.exe	cmd.exe
PID 4808 wrote to memory of 4408	4808	cmd.exe	MIRTUM.exe

C:\Users\Admin\AppData\Local\Temp\1b5f82b7a79ee91f859e5408d4117d90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1b5f82b7a79ee91f859e5408d4117d90_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DWEKYSG.exe.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4588

C:\windows\SysWOW64\DWEKYSG.exe
C:\windows\system32\DWEKYSG.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OPHVYZ.exe.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\windows\SysWOW64\OPHVYZ.exe
C:\windows\system32\OPHVYZ.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XIYJP.exe.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4340

C:\windows\system\XIYJP.exe
C:\windows\system\XIYJP.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YLBN.exe.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\windows\SysWOW64\YLBN.exe
C:\windows\system32\YLBN.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JDRYDGV.exe.bat" "
10⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\windows\JDRYDGV.exe
C:\windows\JDRYDGV.exe
11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OEB.exe.bat" "
12⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\windows\system\OEB.exe
C:\windows\system\OEB.exe
13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BBNEAH.exe.bat" "
14⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\windows\BBNEAH.exe
C:\windows\BBNEAH.exe
15⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BKBBNY.exe.bat" "
16⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\windows\BKBBNY.exe
C:\windows\BKBBNY.exe
17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UXN.exe.bat" "
18⤵
- Suspicious use of WriteProcessMemory
PID:2852

C:\windows\system\UXN.exe
C:\windows\system\UXN.exe
19⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WVS.exe.bat" "
20⤵
- Suspicious use of WriteProcessMemory
PID:2536

C:\windows\SysWOW64\WVS.exe
C:\windows\system32\WVS.exe
21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MIRTUM.exe.bat" "
22⤵
- Suspicious use of WriteProcessMemory
PID:4808

C:\windows\system\MIRTUM.exe
C:\windows\system\MIRTUM.exe
23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UOWZFK.exe.bat" "
24⤵
PID:624

C:\windows\SysWOW64\UOWZFK.exe
C:\windows\system32\UOWZFK.exe
25⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AJIALH.exe.bat" "
26⤵
PID:3472

C:\windows\SysWOW64\AJIALH.exe
C:\windows\system32\AJIALH.exe
27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DRRPSBD.exe.bat" "
28⤵
PID:776

C:\windows\system\DRRPSBD.exe
C:\windows\system\DRRPSBD.exe
29⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TFIWM.exe.bat" "
30⤵
PID:4796

C:\windows\system\TFIWM.exe
C:\windows\system\TFIWM.exe
31⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XIG.exe.bat" "
32⤵
PID:2084

C:\windows\SysWOW64\XIG.exe
C:\windows\system32\XIG.exe
33⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZGTDBM.exe.bat" "
34⤵
PID:3716

C:\windows\system\ZGTDBM.exe
C:\windows\system\ZGTDBM.exe
35⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RDLQ.exe.bat" "
36⤵
PID:2636

C:\windows\system\RDLQ.exe
C:\windows\system\RDLQ.exe
37⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZRYW.exe.bat" "
38⤵
PID:3748

C:\windows\ZRYW.exe
C:\windows\ZRYW.exe
39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UEDGEN.exe.bat" "
40⤵
PID:4180

C:\windows\SysWOW64\UEDGEN.exe
C:\windows\system32\UEDGEN.exe
41⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BUEF.exe.bat" "
42⤵
PID:2884

C:\windows\SysWOW64\BUEF.exe
C:\windows\system32\BUEF.exe
43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JAI.exe.bat" "
44⤵
PID:3144

C:\windows\SysWOW64\JAI.exe
C:\windows\system32\JAI.exe
45⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DSYXFAW.exe.bat" "
46⤵
PID:3212

C:\windows\system\DSYXFAW.exe
C:\windows\system\DSYXFAW.exe
47⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ATA.exe.bat" "
48⤵
PID:1596

C:\windows\system\ATA.exe
C:\windows\system\ATA.exe
49⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LJOHV.exe.bat" "
50⤵
PID:4892

C:\windows\SysWOW64\LJOHV.exe
C:\windows\system32\LJOHV.exe
51⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ICQJ.exe.bat" "
52⤵
PID:2764

C:\windows\system\ICQJ.exe
C:\windows\system\ICQJ.exe
53⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KZWE.exe.bat" "
54⤵
PID:1276

C:\windows\SysWOW64\KZWE.exe
C:\windows\system32\KZWE.exe
55⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SNI.exe.bat" "
56⤵
PID:2884

C:\windows\SysWOW64\SNI.exe
C:\windows\system32\SNI.exe
57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XFSNDDP.exe.bat" "
58⤵
PID:4280

C:\windows\XFSNDDP.exe
C:\windows\XFSNDDP.exe
59⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MLQK.exe.bat" "
60⤵
PID:3528

C:\windows\system\MLQK.exe
C:\windows\system\MLQK.exe
61⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UYDQ.exe.bat" "
62⤵
PID:1860

C:\windows\system\UYDQ.exe
C:\windows\system\UYDQ.exe
63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CTTM.exe.bat" "
64⤵
PID:4872

C:\windows\SysWOW64\CTTM.exe
C:\windows\system32\CTTM.exe
65⤵
- Executes dropped EXE
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GJZMVNL.exe.bat" "
66⤵
PID:1408

C:\windows\system\GJZMVNL.exe
C:\windows\system\GJZMVNL.exe
67⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WZAMC.exe.bat" "
68⤵
PID:4752

C:\windows\system\WZAMC.exe
C:\windows\system\WZAMC.exe
69⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SAKO.exe.bat" "
70⤵
PID:560

C:\windows\SAKO.exe
C:\windows\SAKO.exe
71⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NNPXQE.exe.bat" "
72⤵
PID:3832

C:\windows\SysWOW64\NNPXQE.exe
C:\windows\system32\NNPXQE.exe
73⤵
- Executes dropped EXE
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EOVDDV.exe.bat" "
74⤵
PID:1288

C:\windows\system\EOVDDV.exe
C:\windows\system\EOVDDV.exe
75⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SYMTRY.exe.bat" "
76⤵
PID:3472

C:\windows\SysWOW64\SYMTRY.exe
C:\windows\system32\SYMTRY.exe
77⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LMLZW.exe.bat" "
78⤵
PID:2028

C:\windows\LMLZW.exe
C:\windows\LMLZW.exe
79⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AHC.exe.bat" "
80⤵
PID:4264

C:\windows\AHC.exe
C:\windows\AHC.exe
81⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZAFUQBP.exe.bat" "
82⤵
PID:3924

C:\windows\ZAFUQBP.exe
C:\windows\ZAFUQBP.exe
83⤵
- Checks computer location settings
- Executes dropped EXE
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WSHWCF.exe.bat" "
84⤵
PID:2816

C:\windows\SysWOW64\WSHWCF.exe
C:\windows\system32\WSHWCF.exe
85⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PLWHLX.exe.bat" "
86⤵
PID:5100

C:\windows\SysWOW64\PLWHLX.exe
C:\windows\system32\PLWHLX.exe
87⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IOA.exe.bat" "
88⤵
PID:2260

C:\windows\IOA.exe
C:\windows\IOA.exe
89⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QBNRBUD.exe.bat" "
90⤵
PID:2220

C:\windows\QBNRBUD.exe
C:\windows\QBNRBUD.exe
91⤵
- Checks computer location settings
- Executes dropped EXE
PID:2636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AZSMICL.exe.bat" "
92⤵
PID:2544

C:\windows\system\AZSMICL.exe
C:\windows\system\AZSMICL.exe
93⤵
- Executes dropped EXE
PID:1252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YKVURI.exe.bat" "
94⤵
PID:3568

C:\windows\SysWOW64\YKVURI.exe
C:\windows\system32\YKVURI.exe
95⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:60

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GPIIC.exe.bat" "
96⤵
PID:964

C:\windows\GPIIC.exe
C:\windows\GPIIC.exe
97⤵
- Executes dropped EXE
PID:992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZSMEHXF.exe.bat" "
98⤵
PID:4244

C:\windows\system\ZSMEHXF.exe
C:\windows\system\ZSMEHXF.exe
99⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CGD.exe.bat" "
100⤵
PID:3952

C:\windows\SysWOW64\CGD.exe
C:\windows\system32\CGD.exe
101⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LOFT.exe.bat" "
102⤵
PID:1872

C:\windows\system\LOFT.exe
C:\windows\system\LOFT.exe
103⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\KZI.exe.bat" "
104⤵
PID:2932

C:\windows\system\KZI.exe
C:\windows\system\KZI.exe
105⤵
- Checks computer location settings
- Executes dropped EXE
PID:3824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OHOJZU.exe.bat" "
106⤵
PID:1832

C:\windows\system\OHOJZU.exe
C:\windows\system\OHOJZU.exe
107⤵
- Executes dropped EXE
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HHEUIN.exe.bat" "
108⤵
PID:2164

C:\windows\system\HHEUIN.exe
C:\windows\system\HHEUIN.exe
109⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HNEIKA.exe.bat" "
110⤵
PID:4396

C:\windows\system\HNEIKA.exe
C:\windows\system\HNEIKA.exe
111⤵
- Executes dropped EXE
PID:2136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RLKCZI.exe.bat" "
112⤵
PID:2612

C:\windows\system\RLKCZI.exe
C:\windows\system\RLKCZI.exe
113⤵
- Executes dropped EXE
PID:560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NQCSP.exe.bat" "
114⤵
PID:4072

C:\windows\NQCSP.exe
C:\windows\NQCSP.exe
115⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HEBQV.exe.bat" "
116⤵
PID:3540

C:\windows\SysWOW64\HEBQV.exe
C:\windows\system32\HEBQV.exe
117⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CRGZXFG.exe.bat" "
118⤵
PID:1412

C:\windows\SysWOW64\CRGZXFG.exe
C:\windows\system32\CRGZXFG.exe
119⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VJVKOGO.exe.bat" "
120⤵
PID:2632

C:\windows\VJVKOGO.exe
C:\windows\VJVKOGO.exe
121⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UUYA.exe.bat" "
122⤵
PID:4428

C:\windows\UUYA.exe
C:\windows\UUYA.exe
123⤵
- Executes dropped EXE
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KNB.exe.bat" "
124⤵
PID:2252

C:\windows\KNB.exe
C:\windows\KNB.exe
125⤵
- Executes dropped EXE
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PTTF.exe.bat" "
126⤵
PID:1252

C:\windows\system\PTTF.exe
C:\windows\system\PTTF.exe
127⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CQTRYGC.exe.bat" "
128⤵
PID:1548

C:\windows\system\CQTRYGC.exe
C:\windows\system\CQTRYGC.exe
129⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DTXN.exe.bat" "
130⤵
PID:3688

C:\windows\SysWOW64\DTXN.exe
C:\windows\system32\DTXN.exe
131⤵
- Drops file in Windows directory
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QWNL.exe.bat" "
132⤵
PID:1812

C:\windows\system\QWNL.exe
C:\windows\system\QWNL.exe
133⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WRZE.exe.bat" "
134⤵
PID:2636

C:\windows\WRZE.exe
C:\windows\WRZE.exe
135⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XUC.exe.bat" "
136⤵
PID:4156

C:\windows\XUC.exe
C:\windows\XUC.exe
137⤵
- Drops file in System32 directory
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\INKTUN.exe.bat" "
138⤵
PID:772

C:\windows\SysWOW64\INKTUN.exe
C:\windows\system32\INKTUN.exe
139⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YDLS.exe.bat" "
140⤵
PID:2220

C:\windows\SysWOW64\YDLS.exe
C:\windows\system32\YDLS.exe
141⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GRYZ.exe.bat" "
142⤵
PID:3716

C:\windows\GRYZ.exe
C:\windows\GRYZ.exe
143⤵
- Drops file in Windows directory
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QOD.exe.bat" "
144⤵
PID:4332

C:\windows\QOD.exe
C:\windows\QOD.exe
145⤵
- Drops file in System32 directory
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FER.exe.bat" "
146⤵
PID:4180

C:\windows\SysWOW64\FER.exe
C:\windows\system32\FER.exe
147⤵
- Drops file in System32 directory
PID:1832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GZUHOMR.exe.bat" "
148⤵
PID:2816

C:\windows\SysWOW64\GZUHOMR.exe
C:\windows\system32\GZUHOMR.exe
149⤵
- Checks computer location settings
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MVGAUAZ.exe.bat" "
150⤵
PID:3568

C:\windows\system\MVGAUAZ.exe
C:\windows\system\MVGAUAZ.exe
151⤵
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZFWYI.exe.bat" "
152⤵
PID:964

C:\windows\system\ZFWYI.exe
C:\windows\system\ZFWYI.exe
153⤵
- Drops file in System32 directory
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HTBFT.exe.bat" "
154⤵
PID:3208

C:\windows\SysWOW64\HTBFT.exe
C:\windows\system32\HTBFT.exe
155⤵
- Checks computer location settings
PID:940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IOF.exe.bat" "
156⤵
PID:4828

C:\windows\system\IOF.exe
C:\windows\system\IOF.exe
157⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BGU.exe.bat" "
158⤵
PID:1544

C:\windows\system\BGU.exe
C:\windows\system\BGU.exe
159⤵
- Drops file in Windows directory
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YHW.exe.bat" "
160⤵
PID:3140

C:\windows\YHW.exe
C:\windows\YHW.exe
161⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SUBF.exe.bat" "
162⤵
PID:2676

C:\windows\SysWOW64\SUBF.exe
C:\windows\system32\SUBF.exe
163⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LXFBJU.exe.bat" "
164⤵
PID:1080

C:\windows\system\LXFBJU.exe
C:\windows\system\LXFBJU.exe
165⤵
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EQUUSV.exe.bat" "
166⤵
PID:4156

C:\windows\system\EQUUSV.exe
C:\windows\system\EQUUSV.exe
167⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UGVLZ.exe.bat" "
168⤵
PID:2088

C:\windows\SysWOW64\UGVLZ.exe
C:\windows\system32\UGVLZ.exe
169⤵
- Drops file in Windows directory
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\SRYB.exe.bat" "
170⤵
PID:3740

C:\windows\system\SRYB.exe
C:\windows\system\SRYB.exe
171⤵
- Checks computer location settings
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GBOAWZV.exe.bat" "
172⤵
PID:760

C:\windows\GBOAWZV.exe
C:\windows\GBOAWZV.exe
173⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZUWLFAD.exe.bat" "
174⤵
PID:2632

C:\windows\system\ZUWLFAD.exe
C:\windows\system\ZUWLFAD.exe
175⤵
- Checks computer location settings
- Drops file in System32 directory
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YNHBOG.exe.bat" "
176⤵
PID:332

C:\windows\SysWOW64\YNHBOG.exe
C:\windows\system32\YNHBOG.exe
177⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FDISVCO.exe.bat" "
178⤵
PID:3040

C:\windows\SysWOW64\FDISVCO.exe
C:\windows\system32\FDISVCO.exe
179⤵
- Drops file in Windows directory
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YVXDEDE.exe.bat" "
180⤵
PID:4612

C:\windows\system\YVXDEDE.exe
C:\windows\system\YVXDEDE.exe
181⤵
- Drops file in System32 directory
PID:3340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SOEOVWM.exe.bat" "
182⤵
PID:5096

C:\windows\SysWOW64\SOEOVWM.exe
C:\windows\system32\SOEOVWM.exe
183⤵
- Drops file in System32 directory
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QJE.exe.bat" "
184⤵
PID:2316

C:\windows\SysWOW64\QJE.exe
C:\windows\system32\QJE.exe
185⤵
PID:3920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AHJ.exe.bat" "
186⤵
PID:3468

C:\windows\AHJ.exe
C:\windows\AHJ.exe
187⤵
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IMWYSFG.exe.bat" "
188⤵
PID:5000

C:\windows\system\IMWYSFG.exe
C:\windows\system\IMWYSFG.exe
189⤵
- Checks computer location settings
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IPAU.exe.bat" "
190⤵
PID:212

C:\windows\SysWOW64\IPAU.exe
C:\windows\system32\IPAU.exe
191⤵
- Drops file in Windows directory
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BLD.exe.bat" "
192⤵
PID:4476

C:\windows\BLD.exe
C:\windows\BLD.exe
193⤵
- Drops file in Windows directory
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ULT.exe.bat" "
194⤵
PID:1860

C:\windows\ULT.exe
C:\windows\ULT.exe
195⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VOJW.exe.bat" "
196⤵
PID:696

C:\windows\SysWOW64\VOJW.exe
C:\windows\system32\VOJW.exe
197⤵
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GHEPJ.exe.bat" "
198⤵
PID:1940

C:\windows\GHEPJ.exe
C:\windows\GHEPJ.exe
199⤵
- Checks computer location settings
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WXNOQY.exe.bat" "
200⤵
PID:2060

C:\windows\system\WXNOQY.exe
C:\windows\system\WXNOQY.exe
201⤵
PID:3556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QKS.exe.bat" "
202⤵
PID:1268

C:\windows\QKS.exe
C:\windows\QKS.exe
203⤵
- Drops file in System32 directory
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DNA.exe.bat" "
204⤵
PID:2792

C:\windows\SysWOW64\DNA.exe
C:\windows\system32\DNA.exe
205⤵
- Drops file in Windows directory
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZSNAAG.exe.bat" "
206⤵
PID:3300

C:\windows\ZSNAAG.exe
C:\windows\ZSNAAG.exe
207⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DBHI.exe.bat" "
208⤵
PID:220

C:\windows\system\DBHI.exe
C:\windows\system\DBHI.exe
209⤵
PID:332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TTS.exe.bat" "
210⤵
PID:4076

C:\windows\system\TTS.exe
C:\windows\system\TTS.exe
211⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WHXIW.exe.bat" "
212⤵
PID:224

C:\windows\system\WHXIW.exe
C:\windows\system\WHXIW.exe
213⤵
- Drops file in Windows directory
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YECC.exe.bat" "
214⤵
PID:3880

C:\windows\system\YECC.exe
C:\windows\system\YECC.exe
215⤵
- Checks computer location settings
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GKPJ.exe.bat" "
216⤵
PID:1512

C:\windows\system\GKPJ.exe
C:\windows\system\GKPJ.exe
217⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QIUDVI.exe.bat" "
218⤵
PID:4516

C:\windows\SysWOW64\QIUDVI.exe
C:\windows\system32\QIUDVI.exe
219⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DSDU.exe.bat" "
220⤵
PID:4284

C:\windows\system\DSDU.exe
C:\windows\system\DSDU.exe
221⤵
- Drops file in System32 directory
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RQLFL.exe.bat" "
222⤵
PID:1152

C:\windows\SysWOW64\RQLFL.exe
C:\windows\system32\RQLFL.exe
223⤵
- Drops file in Windows directory
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZEQMW.exe.bat" "
224⤵
PID:4508

C:\windows\ZEQMW.exe
C:\windows\ZEQMW.exe
225⤵
- Checks computer location settings
PID:1332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NZBN.exe.bat" "
226⤵
PID:2160

C:\windows\NZBN.exe
C:\windows\NZBN.exe
227⤵
- Drops file in Windows directory
PID:1724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PXHH.exe.bat" "
228⤵
PID:4616

C:\windows\system\PXHH.exe
C:\windows\system\PXHH.exe
229⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JKMRBA.exe.bat" "
230⤵
PID:3024

C:\windows\JKMRBA.exe
C:\windows\JKMRBA.exe
231⤵
- Checks computer location settings
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YFXKH.exe.bat" "
232⤵
PID:4912

C:\windows\YFXKH.exe
C:\windows\YFXKH.exe
233⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NAH.exe.bat" "
234⤵
PID:4292

C:\windows\NAH.exe
C:\windows\NAH.exe
235⤵
- Checks computer location settings
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PYU.exe.bat" "
236⤵
PID:4596

C:\windows\system\PYU.exe
C:\windows\system\PYU.exe
237⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CWUUJV.exe.bat" "
238⤵
PID:2588

C:\windows\CWUUJV.exe
C:\windows\CWUUJV.exe
239⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IWCISX.exe.bat" "
240⤵
PID:4924

C:\windows\IWCISX.exe
C:\windows\IWCISX.exe
241⤵
PID:3264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OSN.exe.bat" "
242⤵
PID:5116

C:\windows\system\OSN.exe
C:\windows\system\OSN.exe
243⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\USVWP.exe.bat" "
244⤵
PID:1664

C:\windows\SysWOW64\USVWP.exe
C:\windows\system32\USVWP.exe
245⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EQB.exe.bat" "
246⤵
PID:4032

C:\windows\SysWOW64\EQB.exe
C:\windows\system32\EQB.exe
247⤵
- Checks computer location settings
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RVBCHA.exe.bat" "
248⤵
PID:900

C:\windows\RVBCHA.exe
C:\windows\RVBCHA.exe
249⤵
- Drops file in System32 directory
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VDHC.exe.bat" "
250⤵
PID:4408

C:\windows\SysWOW64\VDHC.exe
C:\windows\system32\VDHC.exe
251⤵
- Drops file in Windows directory
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FBV.exe.bat" "
252⤵
PID:2052

C:\windows\system\FBV.exe
C:\windows\system\FBV.exe
253⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\NPA.exe.bat" "
254⤵
PID:2408

C:\windows\system\NPA.exe
C:\windows\system\NPA.exe
255⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FPO.exe.bat" "
256⤵
PID:3832

C:\windows\system\FPO.exe
C:\windows\system\FPO.exe
257⤵
- Drops file in System32 directory
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NCB.exe.bat" "
258⤵
PID:3708

C:\windows\SysWOW64\NCB.exe
C:\windows\system32\NCB.exe
259⤵
- Drops file in Windows directory
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZAHI.exe.bat" "
260⤵
PID:764

C:\windows\ZAHI.exe
C:\windows\ZAHI.exe
261⤵
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XQO.exe.bat" "
262⤵
PID:3296

C:\windows\XQO.exe
C:\windows\XQO.exe
263⤵
- Checks computer location settings
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JRD.exe.bat" "
264⤵
PID:1732

C:\windows\JRD.exe
C:\windows\JRD.exe
265⤵
- Checks computer location settings
PID:3864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PEVE.exe.bat" "
266⤵
PID:3452

C:\windows\system\PEVE.exe
C:\windows\system\PEVE.exe
267⤵
- Drops file in System32 directory
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OMV.exe.bat" "
268⤵
PID:2920

C:\windows\SysWOW64\OMV.exe
C:\windows\system32\OMV.exe
269⤵
- Drops file in System32 directory
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZFYN.exe.bat" "
270⤵
PID:5036

C:\windows\SysWOW64\ZFYN.exe
C:\windows\system32\ZFYN.exe
271⤵
- Drops file in System32 directory
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ISDT.exe.bat" "
272⤵
PID:4756

C:\windows\SysWOW64\ISDT.exe
C:\windows\system32\ISDT.exe
273⤵
- Drops file in System32 directory
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CGIDFB.exe.bat" "
274⤵
PID:4784

C:\windows\SysWOW64\CGIDFB.exe
C:\windows\system32\CGIDFB.exe
275⤵
- Checks computer location settings
- Drops file in System32 directory
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BRTTN.exe.bat" "
276⤵
PID:4956

C:\windows\SysWOW64\BRTTN.exe
C:\windows\system32\BRTTN.exe
277⤵
- Drops file in System32 directory
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MJAEX.exe.bat" "
278⤵
PID:4628

C:\windows\SysWOW64\MJAEX.exe
C:\windows\system32\MJAEX.exe
279⤵
- Drops file in Windows directory
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UXNKH.exe.bat" "
280⤵
PID:1568

C:\windows\UXNKH.exe
C:\windows\UXNKH.exe
281⤵
- Drops file in Windows directory
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LXPXLM.exe.bat" "
282⤵
PID:3920

C:\windows\system\LXPXLM.exe
C:\windows\system\LXPXLM.exe
283⤵
- Checks computer location settings
PID:1140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SSA.exe.bat" "
284⤵
PID:3864

C:\windows\SSA.exe
C:\windows\SSA.exe
285⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WIHYD.exe.bat" "
286⤵
PID:5108

C:\windows\WIHYD.exe
C:\windows\WIHYD.exe
287⤵
- Drops file in Windows directory
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UTKG.exe.bat" "
288⤵
PID:2124

C:\windows\system\UTKG.exe
C:\windows\system\UTKG.exe
289⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YBQOYR.exe.bat" "
290⤵
PID:4772

C:\windows\YBQOYR.exe
C:\windows\YBQOYR.exe
291⤵
- Drops file in Windows directory
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RTGZHS.exe.bat" "
292⤵
PID:3052

C:\windows\RTGZHS.exe
C:\windows\RTGZHS.exe
293⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BCI.exe.bat" "
294⤵
PID:636

C:\windows\BCI.exe
C:\windows\BCI.exe
295⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AKO.exe.bat" "
296⤵
PID:5020

C:\windows\system\AKO.exe
C:\windows\system\AKO.exe
297⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VXTTI.exe.bat" "
298⤵
PID:4404

C:\windows\system\VXTTI.exe
C:\windows\system\VXTTI.exe
299⤵
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NAFPVWQ.exe.bat" "
300⤵
PID:332

C:\windows\NAFPVWQ.exe
C:\windows\NAFPVWQ.exe
301⤵
- Drops file in Windows directory
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DQGOU.exe.bat" "
302⤵
PID:3956

C:\windows\DQGOU.exe
C:\windows\DQGOU.exe
303⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QTO.exe.bat" "
304⤵
PID:1588

C:\windows\QTO.exe
C:\windows\QTO.exe
305⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TBXB.exe.bat" "
306⤵
PID:776

C:\windows\SysWOW64\TBXB.exe
C:\windows\system32\TBXB.exe
307⤵
- Checks computer location settings
- Drops file in System32 directory
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TUGD.exe.bat" "
308⤵
PID:428

C:\windows\SysWOW64\TUGD.exe
C:\windows\system32\TUGD.exe
309⤵
- Drops file in Windows directory
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BAKJ.exe.bat" "
310⤵
PID:2220

C:\windows\BAKJ.exe
C:\windows\BAKJ.exe
311⤵
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SIMPRXI.exe.bat" "
312⤵
PID:4912

C:\windows\SysWOW64\SIMPRXI.exe
C:\windows\system32\SIMPRXI.exe
313⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FTVNF.exe.bat" "
314⤵
PID:1972

C:\windows\SysWOW64\FTVNF.exe
C:\windows\system32\FTVNF.exe
315⤵
- Drops file in System32 directory
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EDGD.exe.bat" "
316⤵
PID:4332

C:\windows\SysWOW64\EDGD.exe
C:\windows\system32\EDGD.exe
317⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ILMDAGO.exe.bat" "
318⤵
PID:3956

C:\windows\system\ILMDAGO.exe
C:\windows\system\ILMDAGO.exe
319⤵
- Drops file in Windows directory
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XBNDZ.exe.bat" "
320⤵
PID:5004

C:\windows\XBNDZ.exe
C:\windows\XBNDZ.exe
321⤵
- Drops file in Windows directory
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PKCAL.exe.bat" "
322⤵
PID:968

C:\windows\PKCAL.exe
C:\windows\PKCAL.exe
323⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SSWI.exe.bat" "
324⤵
PID:2676

C:\windows\SSWI.exe
C:\windows\SSWI.exe
325⤵
- Checks computer location settings
PID:3556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UQB.exe.bat" "
326⤵
PID:2188

C:\windows\SysWOW64\UQB.exe
C:\windows\system32\UQB.exe
327⤵
- Checks computer location settings
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\SGP.exe.bat" "
328⤵
PID:1708

C:\windows\system\SGP.exe
C:\windows\system\SGP.exe
329⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IVWWY.exe.bat" "
330⤵
PID:4052

C:\windows\SysWOW64\IVWWY.exe
C:\windows\system32\IVWWY.exe
331⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JTDFAC.exe.bat" "
332⤵
PID:4404

C:\windows\system\JTDFAC.exe
C:\windows\system\JTDFAC.exe
333⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JMMHOP.exe.bat" "
334⤵
PID:4760

C:\windows\SysWOW64\JMMHOP.exe
C:\windows\system32\JMMHOP.exe
335⤵
- Drops file in System32 directory
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VPX.exe.bat" "
336⤵
PID:4960

C:\windows\SysWOW64\VPX.exe
C:\windows\system32\VPX.exe
337⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZFDUJM.exe.bat" "
338⤵
PID:4856

C:\windows\ZFDUJM.exe
C:\windows\ZFDUJM.exe
339⤵
- Drops file in System32 directory
PID:968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZAOFS.exe.bat" "
340⤵
PID:1408

C:\windows\SysWOW64\ZAOFS.exe
C:\windows\system32\ZAOFS.exe
341⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MLSD.exe.bat" "
342⤵
PID:3452

C:\windows\SysWOW64\MLSD.exe
C:\windows\system32\MLSD.exe
343⤵
- Checks computer location settings
PID:3312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DLGIKFB.exe.bat" "
344⤵
PID:1864

C:\windows\DLGIKFB.exe
C:\windows\DLGIKFB.exe
345⤵
- Checks computer location settings
- Drops file in Windows directory
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UJFLWR.exe.bat" "
346⤵
PID:3952

C:\windows\system\UJFLWR.exe
C:\windows\system\UJFLWR.exe
347⤵
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XROID.exe.bat" "
348⤵
PID:432

C:\windows\system\XROID.exe
C:\windows\system\XROID.exe
349⤵
PID:3440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MMX.exe.bat" "
350⤵
PID:2052

C:\windows\SysWOW64\MMX.exe
C:\windows\system32\MMX.exe
351⤵
- Drops file in Windows directory
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VNZRRD.exe.bat" "
352⤵
PID:2248

C:\windows\VNZRRD.exe
C:\windows\VNZRRD.exe
353⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DAMGCC.exe.bat" "
354⤵
PID:1084

C:\windows\system\DAMGCC.exe
C:\windows\system\DAMGCC.exe
355⤵
- Checks computer location settings
- Drops file in Windows directory
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HIS.exe.bat" "
356⤵
PID:3364

C:\windows\HIS.exe
C:\windows\HIS.exe
357⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1256
356⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 960
354⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 960
352⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 1004
350⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 872
348⤵
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 960
346⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 1296
344⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 960
342⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 1328
340⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 872
338⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 1308
336⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1328
334⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1272
332⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1328
330⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 960
328⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 960
326⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 976
324⤵
PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 1296
322⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1324
320⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1308
318⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 960
316⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 1328
314⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 1240
312⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 988
310⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 960
308⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 988
306⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 960
304⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 960
302⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1296
300⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1336
298⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 1248
296⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1288
294⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 960
292⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1324
290⤵
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1336
288⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 960
286⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 988
284⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 988
282⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1252
280⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1328
278⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 1308
276⤵
PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1304
274⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 1308
272⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1256
270⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 964
268⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 960
266⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 960
264⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 988
262⤵
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1320
260⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1280
258⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 1316
256⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 1268
254⤵
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1336
252⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 892
250⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 988
248⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1220
246⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 1328
244⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 988
242⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 960
240⤵
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 960
238⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 1268
236⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1324
234⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1324
232⤵
PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1324
230⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1336
228⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 988
226⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1304
224⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1308
222⤵
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 988
220⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 980
218⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 988
216⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1336
214⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 960
212⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 960
210⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1264
208⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 996
206⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1240
204⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 960
202⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 960
200⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 960
198⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1264
196⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1304
194⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 960
192⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 960
190⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1272
188⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 988
186⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 976
184⤵
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 988
182⤵
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 960
180⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1328
178⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1328
176⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 960
174⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1256
172⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 960
170⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 1308
168⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 976
166⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 960
164⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 960
162⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 1324
160⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 960
158⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 1336
156⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1260
154⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1336
152⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1336
150⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1220
148⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 960
146⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1324
144⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1200
142⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 988
140⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 988
138⤵
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1324
136⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 960
134⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1336
132⤵
PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 988
130⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 960
128⤵
- Program crash
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1220
126⤵
- Program crash
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 988
124⤵
- Program crash
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1180
122⤵
- Program crash
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 960
120⤵
- Program crash
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1296
118⤵
- Program crash
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1264
116⤵
- Program crash
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 1260
114⤵
- Program crash
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1216
112⤵
- Program crash
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1336
110⤵
- Program crash
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 1308
108⤵
- Program crash
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 1304
106⤵
- Program crash
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 1216
104⤵
- Program crash
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 960
102⤵
- Program crash
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 960
100⤵
- Program crash
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 976
98⤵
- Program crash
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 960
96⤵
- Program crash
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 1292
94⤵
- Program crash
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 1336
92⤵
- Program crash
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 1324
90⤵
- Program crash
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 988
88⤵
- Program crash
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1328
86⤵
- Program crash
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1264
84⤵
- Program crash
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 1316
82⤵
- Program crash
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 976
80⤵
- Program crash
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1324
78⤵
- Program crash
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 960
76⤵
- Program crash
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1336
74⤵
- Program crash
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1308
72⤵
- Program crash
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1324
70⤵
- Program crash
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 988
68⤵
- Program crash
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 988
66⤵
- Program crash
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 960
64⤵
- Program crash
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1304
62⤵
- Program crash
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1332
60⤵
- Program crash
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1256
58⤵
- Program crash
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1220
56⤵
- Program crash
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1328
54⤵
- Program crash
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 876
52⤵
- Program crash
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1260
50⤵
- Program crash
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 960
48⤵
- Program crash
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1336
46⤵
- Program crash
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 1208
44⤵
- Program crash
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 960
42⤵
- Program crash
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 988
40⤵
- Program crash
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 872
38⤵
- Program crash
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 1336
36⤵
- Program crash
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1336
34⤵
- Program crash
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1296
32⤵
- Program crash
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 988
30⤵
- Program crash
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1304
28⤵
- Program crash
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 960
26⤵
- Program crash
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1328
24⤵
- Program crash
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 968
22⤵
- Program crash
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1328
20⤵
- Program crash
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 988
18⤵
- Program crash
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 960
16⤵
- Program crash
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1324
14⤵
- Program crash
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 960
12⤵
- Program crash
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1012
10⤵
- Program crash
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 960
8⤵
- Program crash
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1336
6⤵
- Program crash
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 1328
4⤵
- Program crash
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 948
2⤵
- Program crash
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3588 -ip 3588
1⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2272 -ip 2272
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3016 -ip 3016
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1276 -ip 1276
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 464 -ip 464
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1404 -ip 1404
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2260 -ip 2260
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1032 -ip 1032
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1400 -ip 1400
1⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4480 -ip 4480
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1736 -ip 1736
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4408 -ip 4408
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4856 -ip 4856
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1148 -ip 1148
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4612 -ip 4612
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4620 -ip 4620
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4988 -ip 4988
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4068 -ip 4068
1⤵
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1660 -ip 1660
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3412 -ip 3412
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 964 -ip 964
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1288 -ip 1288
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4292 -ip 4292
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2260 -ip 2260
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4452 -ip 4452
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1756 -ip 1756
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2256 -ip 2256
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5036 -ip 5036
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4868 -ip 4868
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1556 -ip 1556
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4836 -ip 4836
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4408 -ip 4408
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1752 -ip 1752
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4928 -ip 4928
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2868 -ip 2868
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3724 -ip 3724
1⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4620 -ip 4620
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1704 -ip 1704
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1084 -ip 1084
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3264 -ip 3264
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4260 -ip 4260
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4448 -ip 4448
1⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 224 -ip 224
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4564 -ip 4564
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4068 -ip 4068
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2636 -ip 2636
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1252 -ip 1252
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 60 -ip 60
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 992 -ip 992
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4944 -ip 4944
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1540 -ip 1540
1⤵
PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3452 -ip 3452
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3824 -ip 3824
1⤵
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2252 -ip 2252
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4964 -ip 4964
1⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2136 -ip 2136
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 560 -ip 560
1⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2188 -ip 2188
1⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1688 -ip 1688
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 752 -ip 752
1⤵
PID:660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4056 -ip 4056
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1124 -ip 1124
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4052 -ip 4052
1⤵
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5092 -ip 5092
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 992 -ip 992
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4608 -ip 4608
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4068 -ip 4068
1⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2888 -ip 2888
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2020 -ip 2020
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3212 -ip 3212
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3952 -ip 3952
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1400 -ip 1400
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2160 -ip 2160
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1832 -ip 1832
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1512 -ip 1512
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3292 -ip 3292
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1176 -ip 1176
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 940 -ip 940
1⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4408 -ip 4408
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4672 -ip 4672
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4476 -ip 4476
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2124 -ip 2124
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3860 -ip 3860
1⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 556 -ip 556
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3716 -ip 3716
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3952 -ip 3952
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 432 -ip 432
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5020 -ip 5020
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1408 -ip 1408
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4460 -ip 4460
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3340 -ip 3340
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4596 -ip 4596
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3920 -ip 3920
1⤵
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4804 -ip 4804
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2960 -ip 2960
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1364 -ip 1364
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2036 -ip 2036
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1732 -ip 1732
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4080 -ip 4080
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 964 -ip 964
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3556 -ip 3556
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2052 -ip 2052
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2544 -ip 2544
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4060 -ip 4060
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 332 -ip 332
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4472 -ip 4472
1⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2968 -ip 2968
1⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1500 -ip 1500
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2492 -ip 2492
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4884 -ip 4884
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4340 -ip 4340
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4476 -ip 4476
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1332 -ip 1332
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1724 -ip 1724
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3144 -ip 3144
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3716 -ip 3716
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2480 -ip 2480
1⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1752 -ip 1752
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1768 -ip 1768
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2676 -ip 2676
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3264 -ip 3264
1⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1812 -ip 1812
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2032 -ip 2032
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1708 -ip 1708
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3076 -ip 3076
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4480 -ip 4480
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3696 -ip 3696
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4344 -ip 4344
1⤵
PID:496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3232 -ip 3232
1⤵
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4820 -ip 4820
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3144 -ip 3144
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4564 -ip 4564
1⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3864 -ip 3864
1⤵
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4068 -ip 4068
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2160 -ip 2160
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 640 -ip 640
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3468 -ip 3468
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 556 -ip 556
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3408 -ip 3408
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4072 -ip 4072
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1872 -ip 1872
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 1140 -ip 1140
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4828 -ip 4828
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4060 -ip 4060
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1520 -ip 1520
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2492 -ip 2492
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4896 -ip 4896
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2692 -ip 2692
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4408 -ip 4408
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2052 -ip 2052
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2544 -ip 2544
1⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 1152 -ip 1152
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2436 -ip 2436
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5060 -ip 5060
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4500 -ip 4500
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3992 -ip 3992
1⤵
PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3012 -ip 3012
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 216 -ip 216
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2536 -ip 2536
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4448 -ip 4448
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4384 -ip 4384
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3468 -ip 3468
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3556 -ip 3556
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3296 -ip 3296
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4912 -ip 4912
1⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4508 -ip 4508
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1156 -ip 1156
1⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3956 -ip 3956
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5116 -ip 5116
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 968 -ip 968
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2588 -ip 2588
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3312 -ip 3312
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1580 -ip 1580
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 760 -ip 760
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3440 -ip 3440
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4672 -ip 4672
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4856 -ip 4856
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5092 -ip 5092
1⤵
PID:4956

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\BBNEAH.exe
Filesize
448KB

MD5
76492aa926ecd6e748b7f1de239845ae

SHA1
1ce187350848ca7f0a6d90a4c1c3022da3eb5da4

SHA256
312ee0c1aeaa7d0b255a7bb7e1279ab25506d117e86b29fc521793b202d2b1e2

SHA512
04ada836864a4faf18216f324d0613777c8e486af1c4f7cb0264efabadb4b6e2ed4461392f0e3245e1704132b4d878e59f391ddc4925cab55f4381d7bf4ecb22

Download Submit
C:\Windows\BKBBNY.exe
Filesize
448KB

MD5
b1e9161d07e956b0ec05fa53aa54b1d9

SHA1
ed67091525c911dd0fdc6fdbe6c38fa906804854

SHA256
ba49b28449a410cb1021b4d57926e285db226ee535cb888354af9cc242f60a2a

SHA512
25cb978f2581d2b1f8f29d0c6cc8ec4a54dcc9653dbba45d1d6432bd959c1a374ebbb0e1d5c12e030c8e985675402b6859fd9e8e7b4be7f11fc3304465f5bee3

Download Submit
C:\Windows\JDRYDGV.exe
Filesize
448KB

MD5
512d41adc2f742adcc5c267e5de2e9d7

SHA1
53b9e549852d584d8b6a3ce1705c4cb0324f1627

SHA256
4e4df2e92b6566515888508869f08e2c9e6e510bf3636e6f75e4e96f40cfcb94

SHA512
136a8429b81a9f054c1245bd0660ee58673b795aa89bb7b606f5fb74c6ec6807fdfaecefcfa99c364485f87811699f5a3d4830d0893c7736f5e49ee809a5d09b

Download Submit
C:\Windows\SysWOW64\DWEKYSG.exe
Filesize
448KB

MD5
9c8b97502962529b62dc16a844be68b0

SHA1
53ad28a0a636874bfe342f8b29e072f9d652410e

SHA256
4942b71e5bccec7f7f407c7f73d8e5c1ec138d3398869ca1ce4e21716cc23f52

SHA512
8c3716dd0c9d9cfe16005b45a706dafe3200bcf30cc5c7e8938f7bde79821c2e63f2ff0120d5b093f1541567ca20babe762154ed0ac8f7d315f29f4c469a1026

Download Submit
C:\Windows\SysWOW64\OPHVYZ.exe
Filesize
448KB

MD5
50dbcf03d1b9ca6c2a21ac97423be21a

SHA1
b1361dfc79961364fe5b15ab0781edf375b06568

SHA256
4d8960fff7513c103742a8d6ed9f61d85913ceb0f370661a7a5a578a8c5d2297

SHA512
bdbad8c53cad2cf20621875fa5f1a3a293f5d83fbdcf1be78d75bd0871b647916bdfef32ae6785c2ee85e4060ec7d423d1b484ae7d5efcdfb1ef266243621801

Download Submit
C:\Windows\SysWOW64\UEDGEN.exe
Filesize
448KB

MD5
83d166e6162ce81eb6c286a9177f15da

SHA1
e0b53261d0571355d5588c345c640a58859b3f52

SHA256
8002f4b2d6cf4ece9ab07beb1a76ddfd4612ea2e4a8e0bee46eed9d8980e7bb4

SHA512
447fee9c269359829564d80be87176fbf4770863f785b31dbf1664238e12a2d492422c564b96bddb6508275cfe938665cd11857d7abcb02a2d49782c9d451fd8

Download Submit
C:\Windows\SysWOW64\UOWZFK.exe
Filesize
448KB

MD5
c0024e2a8ab0b7003137f16d0b0e0e81

SHA1
c57254fb4430967c6e0dbcf46bb2db8bfb7cf95f

SHA256
81b721a15dab5e5e95ed41fbc7db009b1f838df486239570f850b5425c699ef6

SHA512
9d8e691b5026ea922ef2f11c03705a3b0c5213797cdc093976255716f1d7f243e9aa3044e66d778378d0f669421118c100d58cd6dbdb8171d7841d133aab2878

Download Submit
C:\Windows\SysWOW64\XIG.exe
Filesize
448KB

MD5
bf519954077e3008289dd23a073d2cce

SHA1
ecf379a8cb6a41f27fc885645802cd791ca96640

SHA256
699e0ef9492d3fe0cf6aff2d43d9a9fa4ef68b15467c9b998b8d35dd481363d6

SHA512
1e0f52a01a507257464872e63b961b754b4d1b973b4c225539f40f159d99bea9b9e5cf6305af3f642003e1a4019c6f6d76cc123d7390fa30036fed91ffff9deb

Download Submit
C:\Windows\SysWOW64\YLBN.exe
Filesize
448KB

MD5
1767aae2f9d579205b6cceebee9b9e64

SHA1
65844d3ab577bfc4a2149d47381b8e8f46c2b54e

SHA256
1c75710d9c691cb0bfd8eb1144d2a9b675b2371c5fe6678917da49c4ddf2685f

SHA512
66d54761f988921d9b4f0c668ea0021e7566115a1724072f120461b1e834786f775e49501ee49eb7f118d3e9376e4ebf81fe0b03b8cff48832c9b252e712e71e

Download Submit
C:\Windows\System\DRRPSBD.exe
Filesize
448KB

MD5
68c8a97e2c4c6a2cb4ded28bd7975581

SHA1
37388370cd480d448e9b78e9208b7f941ceaab37

SHA256
9d7b413e341107447f07f4c447af2d895b994d57b41e90eacd13a60e215c4e3b

SHA512
b56353cea008501b557e7186dfacca18032184338d998daca886acf494d103d6e00b4a0f99418cda85a9722c34d234b6b4eb2e0bbb0b90a6329a624cb535de58

Download Submit
C:\Windows\System\MIRTUM.exe
Filesize
448KB

MD5
a7f352a1fe3390963994597d3f02fd02

SHA1
6dc1c622688b157e24daf972e318033c931390ba

SHA256
21b1ad9e56a80b83e322dc72886e572cc3b63954535c298a35cee5748a9099fb

SHA512
ff056dcb6e21697cd9368b114f724da1db6cd9004a720086c7ab54a287e8a4748eae7b4068d5ccae438eb84defa894cde0218043cd944e6b43484f79ad3ad286

Download Submit
C:\Windows\System\OEB.exe
Filesize
448KB

MD5
f44076bcbe183b4cc4fb4aa692710ba2

SHA1
0cced4399f84c34d537ee5f55deca90a3b6330c5

SHA256
cef0bb61602c61ebf17c779b202efb80c33acc097ceead20b0e124b5c0f67afe

SHA512
39df102104a4c5952ac8d5f33f70fc6dab9fdc1f7944368f0769058ff0d5e7ad48df8a76aa805b7b1dc2943b24d24633a98ed7c75034c7c451af94eb5264fc90

Download Submit
C:\Windows\System\RDLQ.exe
Filesize
448KB

MD5
fce71130d5353187686229b2938c30fd

SHA1
6703745511fd4b3c023c8a58377c0bb175b5fc70

SHA256
940a95d532d39e1565a4bcb0d4cc7dc3dfeaf97b19d60fd45333a3db433d9ed8

SHA512
479532ed4a89083168b932340de8c4aa7358ee68974547006f511ac3f714e86d5b438e4359531fab9e4c795393f4f1e09064f9e35a0f46488cc9112b11f8fb24

Download Submit
C:\Windows\System\UXN.exe
Filesize
448KB

MD5
5b64f2ef53533381a72aba556a6a59d8

SHA1
d0ef801cc84dcd926de9cb59e7e06971cfa67642

SHA256
b11f95a214635f91bfe7a3bcf088d7f3028368d463c02e631d5672c373107ad1

SHA512
eef0a5d0f13699e03ae1bcb06058b018aaf740c2c1b0a50b694a194a11c95eadc23a9b120539a4848596a79caa88bef1042368b0374adb16dfd435628877d944

Download Submit
C:\Windows\System\XIYJP.exe
Filesize
448KB

MD5
ad4ae4ef6b5fbcf03086657b169a2f77

SHA1
419dbf59d60ec50dc6198f7eb4004f77967b516f

SHA256
ae8d30be6c6aec3fca0a94e740c116c09bdaa2398861f181e97da075db4381ef

SHA512
0f27c752ff718f83efe6a1ae77a20dc14001dd60d883f496027b8ea482887872c14cf7e20c54c50bd142a34b6632cb29944d2fe8d79be45406ab79f42703e368

Download Submit
C:\Windows\ZRYW.exe
Filesize
448KB

MD5
1fe0161d4586e968672647e7d17939bb

SHA1
81114132739dd7c42287280b4558de2f54f77d19

SHA256
cf924b4c1767163f259bc4055eab1991e02e77f2e7b6e5f3226264f4d39a42dc

SHA512
702fc71ba982e160997cbaef08caba4685a0f3964023276862fd8d83585799f5371ba531669b5892b105b4349fc9dea3987b2fa879ce1c9fe3e565cd33876e3c

Download Submit
C:\windows\BBNEAH.exe.bat
Filesize
58B

MD5
48fbb7add54e54bfaa7f68903efcbc42

SHA1
7804ae6c5ea0f1b666361fa9125fffab1c6a5f16

SHA256
eca0798abb167a08f0f4629244ce4a78160875a002c38032ded1ee05d8a1c0cd

SHA512
158d78358ac7c8540cc3f324ea0ecaec76f2a14b2ada06a7795126d2d64f99b9652d95918f6f26fa51ad379ca98e11e3da8cb84b974ac34788e3f298f6aa1c6d

Download Submit
C:\windows\BKBBNY.exe.bat
Filesize
58B

MD5
c743cd384a404b615d6461a448dd4d08

SHA1
ca3d75e21d731f62ced6e57d9335905ddf183429

SHA256
1b4f72b5888e9e13fbfcdd1285d12a002a8fcf21ae9b76decaa2e4a0f74cdd7e

SHA512
92e8eaba4d7ccb10cee18fd848ca617651ddb7468e81f08c3e72620887b94f43c7039b3351cb4c174492aa60b97fa8357e85010c32ae9a07869a859f5415ae2e

Download Submit
C:\windows\JDRYDGV.exe.bat
Filesize
60B

MD5
0660e97f2659d4e574a2afe446c08804

SHA1
dd9b6f1b5ed642d47a48c6e4ead4d63f71588674

SHA256
aa5d69fdfa33f2958816fb128d2fd8437b134c63c9a2e043cbab16ff9178a1a5

SHA512
b02ee6748d58769cc81a643f03f2578537c7cb0b965aeddf8d948cf4254e00e1e8893bf86b527343d6349a887056f698e9f699cfe932975b70045e054f2675a0

Download Submit
C:\windows\SysWOW64\AJIALH.exe.bat
Filesize
76B

MD5
a5eddf17c934bac86c14cf230ae9bcd2

SHA1
0f138342b4c690296004fcfcd0fe4e71338f2c04

SHA256
33021edd4d7c0c24f28c933e89a26a8d0ce8588fdc19768cff5cd134898f1790

SHA512
9a15873239f9b9ff09f7000ede7673d3f2eb1807a3c44549da0c87f9a38a1b316aaaa6e9e377080520c0f843f0c5b9442dd25377744ecb1badfc67ac770c2cb6

Download Submit
C:\windows\SysWOW64\BUEF.exe.bat
Filesize
72B

MD5
e6d72554f91e6b4a08bde0d1880471d6

SHA1
cb5e8cca1790254b42ee47bcc00e42988fd75df3

SHA256
1901c4c4a5065bf6130ec6c98d282163387810f83a863eb63e1248498bb104c8

SHA512
60db1a0a226b465f7e4b952cf6690140ffb0f2412e6f85349fd4b9e655c733004e5f43ce25af1317bdf3d9a34b225ea986d050461edecbf6d6cd2e812cbfee2d

Download Submit
C:\windows\SysWOW64\DWEKYSG.exe.bat
Filesize
78B

MD5
719ba5c17c17ae13dc4d1d8d6a0355b7

SHA1
28e1aba505611bf76dace9f0acafae1fd7f7796e

SHA256
6c48ddbeeab3cd2e50266fb2a79b65c25f1d59805b1d3fc08e128ef961e8ae61

SHA512
e0bbd14d21078c7aea01ad6dacf56fe324dc61d67834830bbe28df2729e4e4e72249d4719e1c7221a8c968532ae5b91ccf223d9c3e858b7cd3276b24d29ac202

Download Submit
C:\windows\SysWOW64\JAI.exe.bat
Filesize
70B

MD5
d461872a5e8574587a44301dc5cb17bb

SHA1
63478b95cfe0f79e4254638546f93904bf8718d8

SHA256
ebe70d5f0da7a87175285fbe5216e01912f5adff61f9586a939b612ad4708c65

SHA512
5d6d7c3a388c57bee3041d5ffc0f73c499ec81e648a99dd2d1095d3fbc6fe53c7dcfec390e3028ab387a79ddc88fbfe7d792281a2dd14f5d830cf22d21d46536

Download Submit
C:\windows\SysWOW64\OPHVYZ.exe.bat
Filesize
76B

MD5
a2abdcd4f0484f8111e47c3a65755b91

SHA1
8b8f2fafbaf30a7305f59dfda2fad20a2f1c0743

SHA256
a8ce863e2faa25079d55b46a0f44e993f23c240975a96a6add00997d8b819f3f

SHA512
efab0469e9cc6591403d6bc4a191ed6e821d38b427b6b74b416f6099fe845545b6619296277b3e4f0940bd3fbe1fb3b60212b2510fba4cb80c8100b899ed1572

Download Submit
C:\windows\SysWOW64\UEDGEN.exe.bat
Filesize
76B

MD5
999d688ef4e59b8993c4070cffc7fd72

SHA1
87862637a99e62f9cdc1069b43ab30350d7d1277

SHA256
03a75ac2d12032e77808c9e7f0e2a524239fbd5105910b70092682125cc6407b

SHA512
260b8818e74bb4b0d25f48909cb955cc55003571afd83bb705ccc43fd8684bf6c813115f24d72158696772f62558ac703975b13cd373207ff53bca6e545e0670

Download Submit
C:\windows\SysWOW64\UOWZFK.exe.bat
Filesize
76B

MD5
c57d1f8de13a4732d64d36e7abb0dba9

SHA1
7f53652b615ff736370b6e7f4d91b3be7962b9ac

SHA256
0eefae889ce0d88a852531c53281473a7468a76862e00c42a6618f944825c36f

SHA512
1b90dff5c195bf8f7f54116f4c5cb7b19810d8d5c8eaba22124f27cb88eeeb64e07023478aff119b16a928580bcbd615e1d466365b7fa73c3b44d4d256824978

Download Submit
C:\windows\SysWOW64\WVS.exe
Filesize
448KB

MD5
44a8146c9f5f8bdcd300069ffa5cf682

SHA1
2f37d522f3ea2a2296a4298ec4fc8cad0434fa00

SHA256
827921690e4c794226608db0d0bd3cd8fea28303adc45893233a7583a7a3a4e9

SHA512
d944bd87333bcd6f3ff2789ffe89c62a7beb5a18e2506733bd0dd6c09b60d67dad238c798bbd28c172a837e8b31bcaab35f2028c574b47713fa04f9f4b8a9ad8

Download Submit
C:\windows\SysWOW64\WVS.exe.bat
Filesize
70B

MD5
a4a2ebab54b4d3f83812cbb708360e48

SHA1
a3149dc90f4b8e6d29459b886d3d49ada19bf487

SHA256
3e3cbea934bba5ebdf149817651b5a86554a2f002b836aa860d3ffc10d0c74e9

SHA512
52ca15f9770878be49d3ccdab0856280444d4ffc31954b179ab6872b912ac71300816277c7bb38953ad3380b258af0525a4e98174bdf18d4fba03ddfbf079498

Download Submit
C:\windows\SysWOW64\XIG.exe.bat
Filesize
70B

MD5
1fbc79481cb51b47efec9046463ac0d4

SHA1
48688453fe3945822e0f3cdc2ae7d0969336bfab

SHA256
76bea560f63474a20b43082279e25c7c9cd3c8fb6cd5bf0ab61256b0788d4084

SHA512
8eb9dea36b6f0515af17b9046ece20feb16078f8f82336aa1a6ac7af293e272ef170c5190f335ce5be71bc406e9fd3a52faa64c32117604f0676e852cc2c578e

Download Submit
C:\windows\SysWOW64\YLBN.exe.bat
Filesize
72B

MD5
734db4f23c68de087eca97f07cce31ae

SHA1
04d04521a073f078f3e5261649331f32371cb898

SHA256
5e637751394923db730b58e2eeba5389b4f566cb783644b8b46c28dd04f575d4

SHA512
61996e9de8d5577da3630f7f3ccb048a4308383b080dfecfe9e9cf62f24f4f4bd000069313a620f2a95ea84e630f93d8fd17823108b225f4dd6d7393960fa529

Download Submit
C:\windows\ZRYW.exe.bat
Filesize
54B

MD5
a38d11db7395dadca633eb04a26f8b43

SHA1
d8e5680e254aaf6c28ac5ac9b8c5d9971dcb9b75

SHA256
4755ef2c7f8227bd46a5cda6bae02350b92729d8f7acf583f2a0b52aa86f364b

SHA512
d1f0a32578c600b8404259d4c9cd3fb39b01cee3de940406abced30eb4beb727704b920b4b7865316dce9b8eade72edc8fdf9ad06d4449cd1ee0e97cad1d8fe8

Download Submit
C:\windows\system\DRRPSBD.exe.bat
Filesize
74B

MD5
be90bb015123273e1338e5dcc03ee93f

SHA1
d5778ab8821e9c1beb6121dcff258b09154e2add

SHA256
d18b935872ff3ef041bc2228fea13b221f699fa46978a39081a98b8c5b70930a

SHA512
d69528e9dc370bb036954b74b8e97919ae690eb9294c533db0af38924f832ea4881094f69f80ea5d29a46eeb9e0fde13f9574086eab67e08f2c76e782bae9173

Download Submit
C:\windows\system\MIRTUM.exe.bat
Filesize
72B

MD5
9462089192074fb235dd072eef1612c7

SHA1
30e1a779be49693b25153f56367832138649dd4a

SHA256
b849cf2f61f170d4b76544a03fa3d937cdd78f38e9b8218d7dc36b3a0b304122

SHA512
1151d013c4eb53dd897df871a3798c71d4f4f8dc3fc5c55f7b209decdd2b6e3469755e0b3ac1b3c47884173e0b9f4b76aaad1233c627c41a6bdac876ad4afff7

Download Submit
C:\windows\system\OEB.exe.bat
Filesize
66B

MD5
74c98b1d080c2f035d56e33f56d2b9b6

SHA1
3f80690cd6d254e1d721b286a311eba063d12f26

SHA256
2516263139dc8233b903fe9915611ec314719dcb4ee132f61e26e7d2101fb70f

SHA512
23b1fcf7e9ddfb5a4e09aa42b03c8da67ea7d1429edbce65143852a58dbc9fb7fd719a93c35c1cf5fff13c3d5c25141e619c1bb1e8baad857c618cf1383b4b8a

Download Submit
C:\windows\system\RDLQ.exe.bat
Filesize
68B

MD5
da41598553700bd21422f63c2cd70328

SHA1
21b27404c886e04868d278d0dc13065bff0c7e7a

SHA256
032d91055abd2eeef41427732b3cf193b1b1445316d45ab1a5b6c85f24400b2a

SHA512
30c0a337ada27a6945aae0a28df44956acd82f4db7243bb9bb65399105035a873ed3351448aa1f397f04a3171d10e92a535d715be6a53218e9bc057f641f5d34

Download Submit
C:\windows\system\TFIWM.exe
Filesize
448KB

MD5
1e0e439d247932c3c0057b6e7dc2cdb2

SHA1
005a087c6a1dbe9544a9b7f0e6b8ca3df02aa6fd

SHA256
01d1be5b3ae6c59b594b092ac440004030483a8811c3756b3a61c44c306c36cd

SHA512
b257134a8c90a9565e545e9616e905c70820fa165be496826cdb2f1613ef8b902df53fa14b49a6e0c0ada2a34c2cb17d13385b8c9689cb72228f097a313d4cd8

Download Submit
C:\windows\system\TFIWM.exe.bat
Filesize
70B

MD5
4b2509a0bbc38a513863bf73666875a2

SHA1
5806350d42dc6d81119a76ff456500a203543eef

SHA256
d857efb402a3ced5f0a8fdf410552b99511ccd256aecf5348ac7328342f4a538

SHA512
ef6b1f8ca401bf24943ce58af52fe7c184a6bdf4995ac6a39c1851b6294b68b8ceab881abeac34d7176c711f7c13ab9883e3aed910de0eb3a23f24804c947de9

Download Submit
C:\windows\system\UXN.exe.bat
Filesize
66B

MD5
75810f562da07d5f185bc72380e79133

SHA1
d2127cfe1adc17dcd601cf5affe39313762e0e81

SHA256
9e3e4cc9135f15f996c015a05b0524e406bd2ccec701ddff6d5e0aa2ef8e961e

SHA512
ec26b66ada8b3e00afc94e955bcfcc4cf2b27666bcd83e8ae3ad38f6898e765a48140abeab9ad6d453dd3179c61beebcd4ec032bb3bfc117c4122a972bae972f

Download Submit
C:\windows\system\XIYJP.exe.bat
Filesize
70B

MD5
8bcac77ae35c5db47a1152f1a470f21f

SHA1
96e4845db16287d2687089b8b7e215cefe26af86

SHA256
748f37e4b2011a1ba0c210ed9a28e91e60662507e1a3d0559e3c16729455a42d

SHA512
307a9991fdcfc8f530a58e33746055476441bbcc9ad3b2749f4930d9abf1246a81c96c622a59bd0e1f210ef67d0acb7f679b8cf551edfecc468043d968fecbbe

Download Submit
C:\windows\system\ZGTDBM.exe
Filesize
448KB

MD5
4d52a99c69e64cd0f1f6019db771a1b4

SHA1
0b87fbc0f82afd239999eaf59574f344acc7dcb7

SHA256
ec15c0fb1862c7a8b5c3d8ece4103b9abbbab6405fb5360392c147302e488a6b

SHA512
ae1eab68ab3aff892aaf4248f9fcafd23951fab930044b9c0d2a7c56931592e77ee501a52a1ff9bd058c2fae4e7de50064b5b63f23c7aa1d91fcbb05ea232667

Download Submit
C:\windows\system\ZGTDBM.exe.bat
Filesize
72B

MD5
42db76f92be75f13761f1c37532f1502

SHA1
3a5f0eac2ca2c012751763358c6061e255c479eb

SHA256
1d54b6ffd7c4eac7d35d12ce4b1d53267741bdaaaf0cc2831a1aa862dfc4ab9b

SHA512
f0e76fa22d4393a1c9e37bd1336615a171e219842bfb927511b421fe401f6112da836e12ef8ff2cc4ba63397de17be989c412d1d2033bab442726f9c5a75953e

Download Submit
memory/60-485-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/224-439-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/224-458-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/464-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/464-66-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/964-258-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/964-239-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/992-493-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1032-107-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1032-83-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1084-404-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1084-422-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1148-179-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1148-155-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1252-494-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1252-476-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1276-58-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1276-35-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1288-251-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1288-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1400-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1400-94-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1404-79-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1404-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1556-323-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1556-339-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1660-234-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1660-214-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1704-395-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1704-413-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1736-118-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1736-142-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1752-350-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1752-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1756-286-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1756-304-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2256-314-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2256-296-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2260-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2260-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2260-287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2260-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2272-30-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2272-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2636-466-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2636-483-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2868-386-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2868-367-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3016-22-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3016-44-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3264-431-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3264-412-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3412-246-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3412-227-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3588-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3588-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3724-393-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3724-377-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4068-457-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4068-222-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4068-201-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4068-474-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4260-440-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4260-421-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4292-276-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4292-261-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4408-130-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4408-357-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4408-152-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4408-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4448-449-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4448-430-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4452-294-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4452-278-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4480-106-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4480-126-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4564-467-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4564-448-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4612-186-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4612-165-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4620-203-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4620-178-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4620-402-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4620-385-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4836-332-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4836-349-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4856-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4856-167-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4868-330-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4868-313-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4928-375-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4928-359-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4988-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4988-191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5036-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5036-321-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download